[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution - THE OFFICIAL BLOG OF THE SBS "DIVA"
Fri, Apr 13 2007 12:11 bradley

Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

http://msmvps.com/blogs/bradley/archive/2007/04/12/windows-dns-server-advisory.aspx

http://www.microsoft.com/technet/security/advisory/935964.mspx

Remember our DNS security issue from yesterday?  One clarification that I need to make is that while port 4125 is "open" in that range from 1000-5000, it's not "listening". Port 4125 has to be open in your routers, but on the server it's not really open, and doesn't do its validation/hand-off process until after you log onto the Remote Web Workplace portal.  So you need to be authenticated on the system, and only after that time does the port start to listen and process RPC processes.

Dr. J blogs about how to do it if you want to do it on a bunch of machines, but on a single one it's a quick reg edit.

 

1. On the start menu click 'Run' and then type 'Regedit' and then press enter.

2. Navigate to the following registry location:
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters”

3. On the 'Edit' menu select 'New' and then click 'DWORD Value'

4. Where 'New Value #1' is highlighted type 'RpcProtocol' for the name of the value and then press enter.

5. Double click on the newly created value and change the value's data to '4' (without the quotes).

6. Restart the DNS service for the change to take effect.

Obviously, stopping it and restarting it is enough.
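
The six steps above as a script, for checking a single server before and after the change. This is an added example, not part of the original post: the function name and the log file path are assumptions, while the registry key, value name and data are the ones given in the steps.

```powershell
# Added example: audit, and optionally apply, the RpcProtocol value from steps 1-6.
# Set-DnsRpcProtocol is a hypothetical helper name. Run from an elevated prompt.
function Set-DnsRpcProtocol {
    param(
        [switch]$Apply,      # without -Apply the function only reports
        [int]$Desired = 4    # value data from step 5
    )
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $name = 'RpcProtocol'

    if (-not (Test-Path $key)) {
        Write-Warning 'DNS Parameters key not found; is the DNS Server service installed?'
        return
    }

    # The value does not exist on a server that has never been changed.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) { $shown = '<not set>' } else { $shown = $current }
    Write-Output "Current $name = $shown"

    if ($current -eq $Desired) {
        Write-Output 'Already set; nothing to do.'
        return
    }
    if (-not $Apply) {
        Write-Output "Would set $name to $Desired and restart DNS (re-run with -Apply)."
        return
    }

    # Record the previous state so the change can be rolled back after testing.
    # The log location is an assumption for this example.
    $log = Join-Path $env:TEMP 'dns-rpcprotocol-before.txt'
    "$(Get-Date -Format s) $env:COMPUTERNAME $name was $shown" | Add-Content -Path $log

    # Steps 3-5: create the DWORD (or overwrite an existing value) with the desired data.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Desired -Force | Out-Null

    # Step 6: restart the DNS service so the change takes effect, then confirm it came back.
    Restart-Service -Name DNS
    $svc = Get-Service -Name DNS
    Write-Output "DNS service status after restart: $($svc.Status)"
}

# Report only; nothing is changed unless -Apply is passed.
Set-DnsRpcProtocol
```

To roll back after testing, delete the value (or restore the data recorded in the log file) and restart the DNS service again.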

Am I seeing a lot of chatter about this one?  Not a lot yet.  SANS had the initial report and it looks like it's in "targeted attack" not wormy thing....yet...  Do I feel that the way RPC or Remote Procedure Calls enter our network so that more often than not they are from authenticated connections means that like Slammer and Blaster, a risk of this one is less?  Do I not see this up on Metasploit at this time so that what I'm doing now is testing this out on a single machine to see the impact?  Yes that is what I'm doing.  We're in "test mitigation" and respond accordingly mode right now.

I'm not ready to recommend shooting this out just yet until I make sure all is well.  I'm letting it "cook" a bit on this Domain controller to ensure there are no "gotchas".


# Metasploit Exploit Added

Saturday, April 14, 2007 10:08 AM by hdm

Heads up, a module is now available in the development tree of Metasploit 3:

http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/dcerpc/msdns_zonename.rb

# How to protect and NOT patch

Sunday, April 15, 2007 2:04 PM by E-Bitz - SBS MVP the Official Blog of the SBS "Diva"

Everyone aware that there is an issue with an unpatched vulnerability in DNS, correct? http://blogs.technet.com/msrc/archive/2007/04/13/more-information-on-microsoft-security-advisory-935964.aspx

# The KB 935964 DNS Server Vulnerability and SBS

Monday, April 16, 2007 4:15 PM by The Official SBS Blog

[Today's post comes to us courtesy of Mark Stanfill] If you're running SBS, you should be aware of a

# Vulnerability in RPC

Thursday, May 17, 2007 5:35 PM by Carlos Fernando Paleo da Rocha
SBS MVP in Brazil

Friends, a vulnerability has been discovered in RPC that can allow remote code execution by